Check access to instance-level vulnerability export APIs

We restrict access to these endpoints if the `security_dashboard` feature is not available.

Check access to instance-level vulnerability export APIs
We restrict access to these endpoints if the `security_dashboard` feature is not available.
30886a18 · Mehmet Emin INAC · f1d253c1 · 30886a18 · 30886a18 · 30886a18
Commit 30886a18 authored May 05, 2020 by Mehmet Emin INAC
3 changed files
--- a/ee/app/policies/instance_security_dashboard_policy.rb
+++ b/ee/app/policies/instance_security_dashboard_policy.rb
 # frozen_string_literal: true

 class InstanceSecurityDashboardPolicy < BasePolicy
-  rule { ~anonymous }.policy do
-    enable :read_instance_security_dashboard
-    enable :create_vulnerability_export
+  with_scope :global
+  condition(:security_dashboard_enabled) do
+    License.feature_available?(:security_dashboard)
  end
+
+  rule { ~anonymous }.enable :read_instance_security_dashboard
+  rule { security_dashboard_enabled & can?(:read_instance_security_dashboard) }.enable :create_vulnerability_export
 end
--- a/ee/lib/api/vulnerability_exports.rb
+++ b/ee/lib/api/vulnerability_exports.rb
@@ -53,18 +53,24 @@ module API
        end
      end

-      params do
-        optional :export_format, type: String, desc: 'The format of export to be generated',
-                 default: ::Vulnerabilities::Export.formats.each_key.first,
-                 values: ::Vulnerabilities::Export.formats.keys
-      end
-      desc 'Generate an instance level export' do
-        success EE::API::Entities::VulnerabilityExport
-      end
-      post 'vulnerability_exports' do
-        authorize! :create_vulnerability_export, current_user.security_dashboard
+      namespace do
+        before do
+          not_found! unless Feature.enabled?(:first_class_vulnerabilities)
+        end
+
+        params do
+          optional :export_format, type: String, desc: 'The format of export to be generated',
+                   default: ::Vulnerabilities::Export.formats.each_key.first,
+                   values: ::Vulnerabilities::Export.formats.keys
+        end
+        desc 'Generate an instance level export' do
+          success EE::API::Entities::VulnerabilityExport
+        end
+        post 'vulnerability_exports' do
+          authorize! :create_vulnerability_export, current_user.security_dashboard

-        process_create_request_for(current_user.security_dashboard)
+          process_create_request_for(current_user.security_dashboard)
+        end
      end

      desc 'Get single project vulnerability export' do

--- a/ee/spec/requests/api/vulnerability_exports_spec.rb
+++ b/ee/spec/requests/api/vulnerability_exports_spec.rb
@@ -118,6 +118,8 @@ describe API::VulnerabilityExports do
        end
      end
    end
+
+    it_behaves_like 'forbids access to vulnerability API endpoint in case of disabled features'
  end

  describe 'GET /security/vulnerability_exports/:id' do